Subject: Re: Existence of Thorough "Wipe-File" Util?

This is an update of my previous post on "1 Dec 1995 02:02:07 GMT"
which contained 4 small DOS utilities.  I have tested these utilities
myself under DOS 5.0 and 6.2.  Any precautions which apply to
using commercial wipers should probably apply here, i.e., don't run
ZAPSWAP while Windows is running.  :)  If you wish, you can test them
out on a floppy or ramdisk.

Constructive comments are welcome at voyageur@sky.net.  I permit
free, non-commercial usage of these programs, but retain copyright
ownership.

The size and CRC-32 values of the current 1/28/96 versions of these
programs are:

BIGFILE.COM	3DDFED4C	197 bytes
BIGFILE2.COM	CD886FF6	193 bytes
ZAPEMPTY.COM	13D34F6A	324 bytes
ZAPFILE.COM	ACA1D559	348 bytes
ZAPSWAP.COM	1E07082D	341 bytes
ZAPTIPS.COM	5A4AADD6	471 bytes

	Copr. 1995, 96 by Mark Andreas
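Before running any downloaded copy of these programs, a practitioner would check it against the table above.  The following is an added example, not part of the post or the utilities: it parses the post's own size/CRC-32 table and compares it with the bytes of local files.  It assumes the CRC-32 quoted in the post is the usual PKZIP polynomial that zlib.crc32 implements; the sample bytes in the test are constructed.

```python
"""Verify local copies of the posted utilities against the published
size and CRC-32 table.  Added example; assumes zlib.crc32 (PKZIP
polynomial) matches the CRC-32 the post quotes."""
import os
import zlib

# The table exactly as given in the post (name, CRC-32 hex, size).
PUBLISHED_TABLE = """\
BIGFILE.COM	3DDFED4C	197 bytes
BIGFILE2.COM	CD886FF6	193 bytes
ZAPEMPTY.COM	13D34F6A	324 bytes
ZAPFILE.COM	ACA1D559	348 bytes
ZAPSWAP.COM	1E07082D	341 bytes
ZAPTIPS.COM	5A4AADD6	471 bytes
"""


def parse_table(text):
    """Map 'NAME.COM' -> (crc32 as int, size in bytes)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        table[parts[0].upper()] = (int(parts[1], 16), int(parts[2]))
    return table


def crc32_hex(data):
    """CRC-32 of data as 8 upper-case hex digits, like the post prints it."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def verify_bytes(name, data, table):
    """Compare one file's bytes with the table.  'ok' is True only when
    both size and CRC match; a size mismatch alone already means it is
    not the same build, so both facts are reported separately."""
    want = table.get(name.upper())
    if want is None:
        return {"name": name, "known": False, "ok": False}
    want_crc, want_size = want
    got_crc = zlib.crc32(data) & 0xFFFFFFFF
    size_ok = len(data) == want_size
    crc_ok = got_crc == want_crc
    return {"name": name, "known": True, "size_ok": size_ok, "crc_ok": crc_ok,
            "ok": size_ok and crc_ok,
            "got_crc": f"{got_crc:08X}", "want_crc": f"{want_crc:08X}"}


def verify_directory(path, table=None):
    """Check every file in `path` whose name appears in the table."""
    table = table or parse_table(PUBLISHED_TABLE)
    results = []
    for name in sorted(os.listdir(path)):
        if name.upper() in table:
            with open(os.path.join(path, name), "rb") as fh:
                results.append(verify_bytes(name, fh.read(), table))
    return results


if __name__ == "__main__":
    import sys
    for r in verify_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("OK " if r["ok"] else "BAD", r["name"], r.get("got_crc", ""))
```

Run it in the directory holding the .COM files; anything reported BAD is either a different version than the 1/28/96 build or has been altered in transit, and should not be executed.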

The main changes to the utilities are:

*  Added code to the ZAP*.COM utilities which 'should' flush the
   disk cache's buffer after each pass during multiple wipes.

*  Multiple wipes.  For all utilities which do disk wipes, you can
   give a number on the command line to indicate the number of wipes.
   Since ZAPFILE needs a filename on its command line, the number
   must be preceded by a '/'.

*  When doing multiple wipes, the utilities alternate between writing
   FF and 00 to disk.  For each write attempt, they alternate between
   displaying 01 and its NOT (FE hex) on the screen.  Instructions for
   changing these values are given at the end.

*  In case of a disk error, such as file not found or being unable to
   wipe the entire area, several utilities sound a BIOS beep.

The previous 4 utilities were:

1) BIGFILE.COM and 2) BIGFILE2.COM

When DOS deletes a file, it doesn't delete the information from the
disk; it just clears the FAT entries for the clusters used by that
file and changes the 1st character of the filename to E5 hex.
BIGFILE.COM grabs all free space on the current drive and saves it to
the file "aaaaaaaa.$$$" (or a similar name if that one is already
used).  You can load that file into a file viewer to see what
information is on the disk.  If you haven't run a disk wiper
recently, chances are good that you'll find stuff you deleted a while
back.

Note: the version previously posted will alter the 1st sector,
because some early versions of DOS required writing at least 1 byte
to the file, to prevent corrupting the FAT table.  If you have a
newer DOS, you can use BIGFILE2.COM, which doesn't write that 1 byte
to the file.  I had no problems under DOS 5.0 or 6.2.

3) ZAPEMPTY.COM

To hinder someone's ability to recover information from your disk,
ZAPEMPTY.COM overwrites the free areas on the current drive.
ZAPEMPTY operates entirely through normal DOS INT 21h calls, and
doesn't do any fancy analysis of the FAT Table or any absolute disk
writes to unallocated clusters.  For all practical purposes, it is
the same as running BIGFILE.COM followed by "ZAPFILE AAAAAAAA.$$$".


4) ZAPFILE.COM

	Syntax: ZAPFILE filename
	or	ZAPFILE /# filename   ... where # is 1-255

Hinders undeleting of a file by performing these steps:

	1) Open the file.
	2) Write throughout the file (repeated if specified).
	3) Change the filesize to 0.
	4) Close the file.
	5) Change the file's date/time stamp to 1/1/1980.
	6) Rename it to a 1-character filename.
	7) Delete the file.

If someone tries to undelete the file, the only clue remaining about
it is that the deleted directory entry still lists the sector number
where the file began; the data there, however, has already been wiped.

5) ZAPSWAP.COM

To keep someone from finding information inside your WINDOWS
permanent swap file, ZAPSWAP.COM scribbles throughout the
386spart.par file in the current drive's root directory, without
altering the size, disk position, or date/time.  When you load
Windows (you didn't run this while running windows, right?), Windows
won't give any warning about a corrupted swapfile.  All Windows cares
about is that the swapfile is located at a certain spot, and is
contiguous.

If you have another file which you need to wipe without deleting,
alter the script by replacing the "\386spart.par",00 with the other
filename.  Alter the filesize if needed, but be sure to keep the
',00' at the end.

			*	*	*

Below is a new utility, published for the first time:

6) ZAPTIPS.COM

There is a security hole in many 'rapid wiper' utilities which wipe
drive free-space.  After deleting all sensitive files from a hard
drive, then running ZAPEMPTY.COM (or another program such as Norton
Utilities' "WIPEINFO c: /E /BATCH"), you might think you've just wiped
all sensitive info.  Not necessarily.  If you load a recently edited
file such as AUTOEXEC.BAT or CONFIG.SYS into a binary editor, such as
Norton's DISKEDIT, there's a chance that there is data at the end of
the cluster which hasn't been wiped, but doesn't belong to that file
either.  Because DOS allocates disk space in cluster units, if the
cluster size is 2 KB, a 100-byte AUTOEXEC.BAT reduces free space by
the same amount as if the file were 2048 bytes, even though the file
is only 100 bytes long.  The rest of that cluster is neither part of
the file nor free space, so a free-space wiper never touches it.

ZAPTIPS writes through the slack space for all files in the current
directory, displaying the filenames as it goes along.  On multiple
wipes, it alternates between showing the filenames in upper and lower
case.

Note: ZAPTIPS won't erase information in a disk file, because
ZAPTIPS gets the filesize and writes BEYOND it.  But, if the PC
hangs or is turned off while ZAPTIPS is running, it is possible for
the size and/or file time to be altered.  This is because ZAPTIPS:

1) opens a disk file
2) saves the attribute, date/time and size
3) writes beyond the file size up to the end of the cluster
4) restores the original file's size, date/time, and attribute.

You'll get this same kind of warning from disk optimizers about not
turning off the PC while they're running (or at least you should get
it).  Since ZAPTIPS is only writing to the area beyond the
End-of-File, the only possible change to the file could be a larger
filesize, or a changed time stamp due to the reboot happening between
steps 3 and 4.
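The DOS deletion behaviour described under BIGFILE/ZAPEMPTY, the ZAPFILE step sequence, and the cluster-slack hole that ZAPTIPS addresses, modelled in a small FAT-style volume.  This is an added example, not code from the post or from the utilities themselves: the 16-byte cluster size, file names and contents are constructed, and the date/time and attribute handling of the real programs is left out of the model.

```python
"""Toy FAT-style volume (constructed model, not the utilities' own code).
Each cluster is CLUSTER bytes, the FAT is a free/used list, and a
directory entry records size and cluster list.  Deleting only frees the
clusters and marks the entry with E5h, as the post describes for DOS."""

CLUSTER = 16   # constructed; real DOS clusters ran from 512 bytes to 32 KB


class ToyFat:
    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)   # raw disk contents
        self.fat = [0] * n_clusters                   # 0 = free, 1 = in use
        self.dir = {}                                 # name -> {size, clusters}
        self.deleted = []                             # E5-marked entries

    def _span(self, c):
        return slice(c * CLUSTER, (c + 1) * CLUSTER)

    def _alloc(self, n):
        free = [c for c, used in enumerate(self.fat) if not used][:n]
        if len(free) < n:
            raise OSError("disk full")
        for c in free:
            self.fat[c] = 1
        return free

    def create(self, name, content):
        # Whole clusters are handed out but only len(content) bytes are
        # written, so the tail of the last cluster (slack) keeps old data.
        clusters = self._alloc(max(1, -(-len(content) // CLUSTER)))
        for k, c in enumerate(clusters):
            chunk = content[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.dir[name] = {"size": len(content), "clusters": clusters}

    def read(self, name):
        e = self.dir[name]
        raw = b"".join(bytes(self.data[self._span(c)]) for c in e["clusters"])
        return raw[:e["size"]]

    def delete(self, name):
        # DOS: free the FAT entries, E5h the first name byte, keep the data.
        e = self.dir.pop(name)
        for c in e["clusters"]:
            self.fat[c] = 0
        self.deleted.append({"name": "\xe5" + name[1:], **e})

    def free_space_dump(self):
        # BIGFILE: everything sitting in unallocated clusters.
        return b"".join(bytes(self.data[self._span(c)])
                        for c, used in enumerate(self.fat) if not used)

    def wipe_free(self, fill):
        # ZAPEMPTY: overwrite every unallocated cluster.
        for c, used in enumerate(self.fat):
            if not used:
                self.data[self._span(c)] = bytes([fill]) * CLUSTER

    def _slack_span(self, name):
        e = self.dir[name]
        last = e["clusters"][-1]
        used = e["size"] - (len(e["clusters"]) - 1) * CLUSTER
        return slice(last * CLUSTER + used, (last + 1) * CLUSTER)

    def slack(self, name):
        return bytes(self.data[self._slack_span(name)])

    def wipe_slack(self, name, fill):
        # ZAPTIPS: write from EOF to the end of the cluster; the recorded
        # size stays as it was (date/time/attribute not modelled).
        span = self._slack_span(name)
        self.data[span] = bytes([fill]) * (span.stop - span.start)

    def zapfile(self, name, passes=1):
        # ZAPFILE: overwrite (FFh/00h alternating), truncate to 0, rename
        # to a one-character name, delete.  Date/time step not modelled.
        e = self.dir[name]
        for p in range(passes):
            fill = 0xFF if p % 2 == 0 else 0x00
            for c in e["clusters"]:
                self.data[self._span(c)] = bytes([fill]) * CLUSTER
        e["size"] = 0
        self.dir[name[0]] = self.dir.pop(name)
        self.delete(name[0])


def demo():
    """Replay the post's scenario; all names and contents are constructed."""
    vol = ToyFat(8)
    vol.create("SECRET.TXT", b"PASSWORD=hunter2-constructed!!")   # 30 B, 2 clusters
    vol.delete("SECRET.TXT")
    out = {"recoverable_after_delete": b"hunter2" in vol.free_space_dump()}
    vol.create("AUTOEXEC.BAT", b"@ECHO OFF")   # 9 B into the freed cluster
    vol.wipe_free(0x00)                         # ZAPEMPTY-style pass
    out["free_space_clean"] = b"constructed" not in vol.free_space_dump()
    out["slack_after_zapempty"] = vol.slack("AUTOEXEC.BAT")   # old tail survives
    vol.wipe_slack("AUTOEXEC.BAT", 0xFF)        # ZAPTIPS-style pass
    out["slack_after_zaptips"] = vol.slack("AUTOEXEC.BAT")
    out["autoexec_intact"] = vol.read("AUTOEXEC.BAT") == b"@ECHO OFF"
    vol.create("KEYS.DAT", b"k" * 20)
    vol.zapfile("KEYS.DAT", passes=2)
    out["zapfile_entry"] = vol.deleted[-1]["name"]
    out["zapfile_residue"] = b"k" in vol.free_space_dump()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The sequence in demo() is the post's scenario: a deleted file is readable from free space; a new short file lands in the freed cluster; a free-space wipe clears the rest but the new file's slack still holds the old tail until the beyond-EOF pass, which leaves the file's own bytes and size untouched.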

ZAPTIPS currently recurses over the entire drive.  It can take quite
a while to access each file on a large hard drive which might have as
many as 5,000 or 10,000 files.  If you wish ZAPTIPS to only operate
on the current subdirectory and below, use the following patch:

DEBUG ZAPTIPS.COM
E 14E 90 90
W
Q

		-	-	-	-	-

Currently, during multiple wipes, the display alternates between 01h
and FEh, and the wipes use 00h and FFh, which are logical NOTs of
each other.  To alter these values, use the following patch locations
for the wiper files:

Utility             Screen Symbol    Wipe Value

ZAPEMPTY.COM        0181             016C
ZAPSWAP.COM         0184             016F
ZAPFILE.COM         0188             0173
ZAPTIPS.COM         01A8             0158

The Screen Symbol is currently 01, and the Wipe Value is currently
FF.  For example, to alter ZAPFILE to use 0F and F0 as screen
symbols, and alternate between 5A and A5 when wiping, run DEBUG:

DEBUG ZAPFILE.COM
E 0188 0F
E 0173 5A
W
Q
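The DEBUG scripts above (the ZAPTIPS recursion patch and the screen/wipe value patches) can be applied to a copy of the .COM file offline, which also lets you confirm the bytes being replaced are the ones the post says are there.  The following is an added example, not part of the post or the utilities.  One detail worth knowing: DEBUG loads a .COM file at offset 100h, so an address given to E corresponds to file offset addr - 100h (E 0188 changes file offset 88h).  The 348-byte image below is a constructed stand-in for ZAPFILE.COM, not the real program.

```python
"""Apply DEBUG-style 'E addr bytes' patches to a .COM image offline.
Added example; the image used in the demo is a constructed placeholder."""

COM_LOAD_OFFSET = 0x100   # DEBUG loads a .COM at CS:0100h

# Patch points from the post (DEBUG addresses): screen symbol, wipe value.
PATCH_POINTS = {
    "ZAPEMPTY.COM": {"screen": 0x0181, "wipe": 0x016C},
    "ZAPSWAP.COM":  {"screen": 0x0184, "wipe": 0x016F},
    "ZAPFILE.COM":  {"screen": 0x0188, "wipe": 0x0173},
    "ZAPTIPS.COM":  {"screen": 0x01A8, "wipe": 0x0158},
}
CURRENT_VALUES = {"screen": 0x01, "wipe": 0xFF}   # values the post says are there now

# The post's own script for ZAPFILE (0F/F0 on screen, 5A/A5 on disk).
ZAPFILE_SCRIPT = """\
DEBUG ZAPFILE.COM
E 0188 0F
E 0173 5A
W
Q
"""


def file_offset(debug_addr):
    """Translate a DEBUG address into an offset within the .COM file."""
    return debug_addr - COM_LOAD_OFFSET


def parse_debug_script(script):
    """Extract (address, bytes) pairs from 'E addr b1 b2 ...' lines.
    The DEBUG invocation, W (write) and Q (quit) are skipped; any other
    command is refused so an unexpected script is never half-applied."""
    patches = []
    for line in script.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() in ("DEBUG", "W", "Q"):
            continue
        if parts[0].upper() != "E" or len(parts) < 3:
            raise ValueError(f"unsupported DEBUG line: {line!r}")
        patches.append((int(parts[1], 16), bytes(int(b, 16) for b in parts[2:])))
    return patches


def apply_patches(image, patches, expect=None):
    """Return a patched copy of `image`.  `expect` maps DEBUG address ->
    the byte that should currently be there; every check runs before any
    write, so a script meant for one build is not applied to another."""
    out = bytearray(image)
    for addr, data in patches:
        off = file_offset(addr)
        if off < 0 or off + len(data) > len(out):
            raise ValueError(f"E {addr:04X} lies outside the {len(out)}-byte image")
        if expect and addr in expect and out[off] != expect[addr]:
            raise ValueError(f"byte at {addr:04X} is {out[off]:02X}, "
                             f"expected {expect[addr]:02X}")
    for addr, data in patches:
        off = file_offset(addr)
        out[off:off + len(data)] = data
    return bytes(out)


def demo_zapfile_patch():
    """Constructed 348-byte stand-in for ZAPFILE.COM (size from the post),
    with the post's current values placed at its two patch points."""
    points = PATCH_POINTS["ZAPFILE.COM"]
    image = bytearray(348)
    image[file_offset(points["screen"])] = CURRENT_VALUES["screen"]
    image[file_offset(points["wipe"])] = CURRENT_VALUES["wipe"]
    expect = {points["screen"]: CURRENT_VALUES["screen"],
              points["wipe"]: CURRENT_VALUES["wipe"]}
    return apply_patches(bytes(image), parse_debug_script(ZAPFILE_SCRIPT), expect)


if __name__ == "__main__":
    patched = demo_zapfile_patch()
    print(f"screen symbol now {patched[0x88]:02X}, wipe value now {patched[0x73]:02X}")
```

For the ZAPTIPS recursion patch (E 14E 90 90) the post does not say which bytes are currently at 14Eh, so no `expect` entry can be supplied for it; the bounds check still applies.  Keep a CRC-32 of the unpatched file so the change can be reversed and the build identified later.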

